Social Media and Patient Privacy in Healthcare
A Few Use Cases
Use Case #1:
A nurse at Texas Children’s Hospital was terminated for posting details of a patient’s condition in a Facebook group. The pediatric patient was too young to receive the measles vaccination and, unfortunately, he contracted the disease.
The nurse turned to an anti-vaccination group on Facebook, posting details of the boy’s condition. She said his condition didn’t change her stance, but she could understand why parents vaccinate out of fear of these illnesses. While she didn’t include the child’s name, the Facebook profile listed where she worked. One parent in the group had a child in the same hospital and, worried about exposure to the disease, posted screenshots of the post to the hospital’s Facebook page.
The hospital launched an investigation and immediately suspended the nurse.
Use Case #2:
During operations, a group of resident surgeons took pictures of their patients. The images, which showed body parts removed from the patients, were uploaded online without consent.
In some pictures, the patients were still on the operating table. The patients could easily be identified in the images by anyone who knew them.
The suspected resident surgeons were placed under investigation and could face severe consequences for HIPAA violations.
Protected Health Information (PHI)
Preserving the privacy of patients’ protected health information (PHI) is one of the major concerns linked to social media in healthcare. The privacy and protection of such information are governed by federal law and overseen by the Department of Health and Human Services. States may also have their own laws on the privacy and security of PHI, and these may well be stricter than the federal rules.
Because the lines between appropriate and inappropriate, and between personal and professional, social media use are often blurred, managing privacy risks can be demanding.
For example, there have been numerous instances in which healthcare workers have posted pictures of, or personal information about, patients on professional or personal social media pages without the patient’s consent. Whether these actions were deliberate or unintentional, they disregarded confidentiality and the patients’ privacy rights.
What Path Should a Healthcare Provider Take?
To begin, there is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
In light of this, Healthcare Compliance Pros has identified four major ways HIPAA compliance is breached on social media:
- Posting information about patients to unauthorized users (even if their names are left out).
- Sharing photos of patients, medical documents or other personal information without written consent.
- Inadvertently exposing any of the above while sharing a picture of something else (e.g., visible documents in photos of employees).
- Assuming posts are deleted or private when they’re not.
Violations of HIPAA have serious consequences, including job loss and other penalties. To avoid these, a proactive approach should include a regular risk assessment and a corrective action plan.
Moreover, strict policies must be kept in place governing how employees can use social media. Healthcare organizations need to communicate the correct procedures for any posts to social media and make clear what is never acceptable. Employees also need to be reminded that they represent your healthcare center online and can incur penalties for HIPAA violations through their social media posts, even from their personal accounts.
True, in the present technology-driven culture, it’s unreasonable to expect healthcare workers to completely keep away from social media, especially when many healthcare organizations utilize social media for their own digital marketing and learning functions.
Rather, healthcare organizations need to inform workers about social media risks, recommend best practices and initiate sensible social media guidelines.
Consider Some of the Following Policy Suggestions
- As part of the policies, prohibit or set limits on the photographic use of cell phones and other portable electronic devices.
- Train staff members on HIPAA and state privacy laws, and educate them about the consequences of violating these laws by posting content on social media that contains patient details or identifying information.
- Ask staff to sign confidentiality agreements and maintain a signed copy of the agreement.
- When posting content containing patient identifiable information to the organization’s social media sites, ensure patient consent is obtained.
- Make sure staff are aware that responding to a patient post or review on a social media site might violate HIPAA or state privacy laws.
- Understand the technical limits and terms and conditions of any social media sites that you plan to use.
Finally, Healthcare Professionals Need to Look at the Big Picture
It would be in everyone’s best interest for healthcare leaders to contact their Congressman and tell them why Congress must enact comprehensive data protection legislation to place strict limits on the collection, processing, use and retention of personal data by social networks and other such entities.
The Federal Trade Commission should also make use of its existing authority to rein in abusive data practices by social media companies. Both the FTC and Congress must take swift action to prevent monopolistic behavior and promote competition in the social media market.
The problem is that the healthcare industry is only just beginning to understand how little control we have over personal data, while at the same time Americans are putting more and more data onto social networks, making it much harder to know how best to protect it. Once that data is out there, it is very hard or almost impossible to get it back, especially in an efficient manner and in bulk.
At Medwave, we take HIPAA compliance very seriously. We never risk allowing client or patient data out the door, ever. We take every precaution available to make sure all patient data is processed safely and securely within our medical billing and credentialing services.